On 16 November 2018, the EDPB published its draft guidance on the application of the GDPR to entities based outside the EEA. The GDPR can apply to non-EEA based entities if they satisfy either: (1) the "establishment criterion" or (2) the "targeting criterion. The draft guidance allows us to assess how these tests will apply in practice. The draft guidance also discusses the appointment of an EU representative.
This guidance is in draft form and is subject to change but it does indicate how the EEA supervisory authorities are likely to assess the application of GDPR to non-EEA entities - such as whether simply using cookies on your website (which is accessible in the EEA) or quoting prices in Euros (as well as US dollars) means that you are likely to be caught, despite the fact that you are not based in the EEA.
What does the GDPR say?
The relevant provisions in the GDPR are:
- Article 3(1), which concerns whether data is processed in the context of an establishment in the EEA (regardless of whether the processing takes place in the EEA or not) and
- Article 3(2), which concerns whether personal data of subjects in the EEA is being processed, in relation to either: a) the offering of goods or services, or b) the monitoring of their behaviour.
Establishment in the EEA
You are caught by GDPR if you process personal data in the context of an establishment in the EEA. The EDPB sets out a multi-stage test for assessing whether an entity satisfies the establishment criterion, which we have summarised below:
- "An establishment in the EEA". The key here is whether an entity has real and effective activities in the EEA through stable arrangements. The presence of a single employee or agent can be sufficient to demonstrate this, so a US entity with an EEA branch (or even an agent in the EEA) may be caught. In our view, many non-EEA entities who conduct business in the EEA will be caught by this limb of the test.
However, you would not be brought within scope of GDPR simply by using an EEA based processor. For example, if you are a Canadian data controller and use a processor based in the EEA, the GDPR will not automatically apply to your activities merely because of your choice of processor location, even though the EEA processor should comply with the GDPR requirements placed on processors (such as record retention, security measures and co-operation with the supervisory authorities).
- "in the context of the activities of an establishment". The processing must be carried out in the context of the activities relating to that EEA establishment.
For example, an e-commerce website based in China (with all data processing activities taking place in China) is caught by GDPR if it has a UK office which leads and implements commercial prospection and marketing campaigns. This is because the activities of the European office (i.e. revenue raising) are directly and intrinsically linked to the processing of data by the Chinese company.
- "regardless of whether the processing takes place in the EEA or not". However, the actual place of processing is not relevant in this assessment. A Singapore branch of an EEA controller which processes data on behalf of that EEA controller would need to comply with the GDPR. So a controller subject to the GDPR will need to comply with the GDPR even when handling data relating to non-EEA data subjects (for example, a UK entity processing data from US data subjects).
In addition to the establishment criterion, you can also be caught by GDPR if you offer goods or services to individuals in the EEA, or if you monitor behaviour which takes place in the EEA. In order to be caught in this way, you must fulfil the following targeting criterion:
- "Data subjects in the EEA". The targeting criterion applies to any data subjects who are in the EEA and is not limited by citizenship or residence. So, for example, it would apply if a US-based business (with no presence in the EEA) offered goods or services to US residents travelling in the EEA (the example used in the guidance is a city-mapping application for tourists travelling in the EEA).
- "Offering of goods or services to data subjects in the EEA". The offer needs to be specifically directed to data subjects in the EEA. The EDPB gives examples of situations where you may be seen to offer goods or services to EEA data subjects such as: using an EEA language or currency; mentioning users who are in the EEA; launching marketing or advertising campaigns directed at EEA audiences; providing dedicated contact details for EEA users; or using an EEA-specific top level domain. In these instances, you may be caught by the GDPR, regardless of whether you are based (or established) in the EEA.
This is a concern for non-EEA companies and could mean that activities such as placing tracking cookies on a site which is accessed by individuals in the EEA may be sufficient to satisfy this test. Whilst the EDPB states that it does not consider that online collection of personal data will automatically count as monitoring (as this will depend upon the purpose of the processing and any subsequent behavioural analysis or profiling), it is clear that a broad range of operations will potentially be caught.
This guidance does give some assistance in assessing how supervisory authorities in the EEA are likely to interpret the territorial application of GDPR to entities outside the EEA, but there are plenty of grey areas which are open to interpretation. For example, if you collect cookie data from data subjects in the EEA and carry out profiling on this data, then will you be caught by GDPR, despite the fact that you may be based outside the EEA? Or does the fact that a US company has an option to display its website in German mean that it is offering goods or services to data subjects in the EEA and therefore subject to GDPR?
In our view, the guidance is useful but assessments will need to be made on a case-by-case basis and will depend largely on the individual facts and background. It is possible that this will be clarified as a result of the public consultation but, if not, then many non-EEA entities will need to continue to take a cautious approach when offering goods or services or targeting individuals in the EEA (or even carrying out activities which could be viewed as targeting individuals in the EEA).